A plain text file of over 1,800 Minecraft usernames and passwords has leaked online. At this stage, it is unclear as to how the details were obtained, or if the leak itself is a precursor to a much larger attack targeted at Minecraft.
The details available in the leak (which has been posted to Pastebin) allow anyone to log in to a legitimate user's account to download and install the full version of the game. More worrisome is the fact that the hack exposes the affected users to more malicious attacks if they've reused the password on other services.
According to security researcher Graham Cluley:
"Quite how criminals managed to steal the credentials for so many Minecraft users isn't clear. Possibilities range from simple phishing attacks, keylogging malware stealing players' details as they log into the game, or even a security breach at Minecraft itself. (Let's hope it's not the last one – because the game has over 100 million registered users)."
"And although some 1800+ usernames and passwords have been published online, there's no guarantee that whoever gained access to them hasn't got a whole lot more in their back pocket which they haven't chosen to release to the rest of the world."
Right now, there's no official statement from Minecraft (or Microsoft) acknowledging the leak. We'll update you on the situation when we hear more.
Source: Heise